PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43384 Git CVE debrief

CVE-2026-43384 is a critical Linux kernel vulnerability in the TCP Authentication Option (TCP-AO) path. The fix switches MAC comparison to a constant-time helper to prevent timing attacks. In practical terms, an attacker able to exercise the affected network path could learn information from data-dependent comparison timing. The supplied record rates the issue CVSS 9.8 (Critical).

Vendor: Git
Product: Unknown
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-11
Advisory published: 2026-05-08
Advisory updated: 2026-05-11

Who should care

Linux kernel maintainers, distro security teams, appliance and embedded vendors shipping Linux kernels, and operators of systems that use or expose TCP-AO. Network-security teams should prioritize this if TCP-AO is enabled in production or on internet-facing systems.

Technical summary

The CVE description says the Linux kernel's net/tcp-ao code compared MACs in a way that was not constant time. Because MAC verification must not vary its runtime with how much of the value matches, the fix uses the appropriate constant-time comparison helper. The issue is therefore a timing side-channel risk in authentication verification logic rather than a memory corruption flaw.
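The following is an added illustration, not code from the kernel tree or from the fix itself: it contrasts an early-exit byte comparison with a constant-time one written in the style of the kernel's crypto_memneq() helper (whether the fix uses that helper or another one is an assumption; the page does not name it). The examined-byte counter stands in for elapsed time, which is what a timing observer would actually measure.

```c
#include <stddef.h>
#include <stdint.h>

#define MAC_LEN 16

/* Variable-time comparison: returns at the first mismatching byte.
 * 'examined' records how many bytes were read before returning, which is
 * the quantity an observer could infer from the elapsed time. */
int variable_time_mac_eq(const uint8_t *expected, const uint8_t *received,
                         size_t len, size_t *examined)
{
    for (size_t i = 0; i < len; i++) {
        if (expected[i] != received[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = len;
    return 1;
}

/* Constant-time comparison in the style of crypto_memneq(): every byte is
 * read and XOR differences are OR-accumulated, so the work done does not
 * depend on where (or whether) the two MACs differ. */
int constant_time_mac_eq(const uint8_t *expected, const uint8_t *received,
                         size_t len, size_t *examined)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(expected[i] ^ received[i]);
    *examined = len;
    return diff == 0;
}

/* Constructed sample: a reference MAC and a copy corrupted at byte 'pos'
 * (pos >= MAC_LEN leaves the copy intact, i.e. a valid MAC). */
void make_sample(uint8_t *expected, uint8_t *received, size_t pos)
{
    for (size_t i = 0; i < MAC_LEN; i++)
        expected[i] = received[i] = (uint8_t)(0xA5 ^ i);
    if (pos < MAC_LEN)
        received[pos] ^= 0x01;
}

/* How many bytes each verifier touches when the mismatch sits at 'pos'. */
size_t bytes_examined(int use_constant_time, size_t pos)
{
    uint8_t e[MAC_LEN], r[MAC_LEN];
    size_t n = 0;
    make_sample(e, r, pos);
    if (use_constant_time)
        constant_time_mac_eq(e, r, MAC_LEN, &n);
    else
        variable_time_mac_eq(e, r, MAC_LEN, &n);
    return n;
}
```

With the early-exit version, the byte count (and so the timing) grows with the length of the correct prefix; the constant-time version reads all 16 bytes regardless.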

Defensive priority

Urgent; treat as critical and prioritize kernel patching/backport verification immediately.

Recommended defensive actions

  • Apply the vendor or distribution kernel update that includes the TCP-AO constant-time MAC comparison fix.
  • Verify any backports in stable kernel branches include the net/tcp-ao timing fix before deployment.
  • Prioritize exposed or high-trust systems that use TCP-AO for authentication.
  • If TCP-AO is not required on a system, restrict or disable its use until patched.
  • Track downstream advisories from your Linux distribution or kernel vendor for exact fixed versions.

Evidence notes

This debrief is based on the CVE description stating that net/tcp-ao needed constant-time MAC comparison, plus the official NVD record and its four kernel.org stable commit references. The supplied NVD metadata shows vulnStatus as 'Received' and CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, consistent with a remotely reachable critical issue.

Official resources

Published 2026-05-08 and last modified 2026-05-11 in the supplied record. No CISA KEV entry is listed in the provided data.